100,000 Windows Devices Still Exposed to SMBGhost FlawCOVID-19 Distractions May Have Delayed Patching, Experts Say
Almost eight months after Microsoft warned of a critical vulnerability in Windows called SMBGhost, more than 100,000 unpatched devices remain vulnerable to this flaw, according to security researchers. The bug, tracked as CVE-2020-0796, carries a CVSS 10.0 critical rating.
A hacker who exploited the vulnerability could potentially remotely execute code.
Even though Microsoft issued a patch for the SMBGhost vulnerability after it was disclosed in March, security experts note that the COVID-19 pandemic and ensuing rush to move workers into home offices may have led to delays in applying the fix.
"While there were no difficult steps involved in patching the vulnerability, the timing of the disclosure and the affected versions of Windows may have played a part in the large number of unpatched systems," Rody Quinlan, security response manager at Tenable, tells Information Security Media Group.
Based on data gathered using the Shodan search engine, which can scan for open ports that are vulnerable to a specific threat, about 103,000 Windows machines worldwide remain vulnerable to CVE-2020-0796, says Jan Kopriva, CSIRT senior lead at the Czech security firm Alef Nula. Kopriva published his findings in a SANS ICS Security report issued Thursday.
Kopriva notes Microsoft's patch was issued as an out-of-band update and not on Patch Tuesday, which may have caused some confusion (see: Microsoft Patches Wormable SMBv3 Flaw).
The timing of the March 13 patch coincided with the start of the COVID-19 shutdown and the move to a remote workforce. "At that time and to date, IT administrators have likely been focused on implementing and maintaining an infrastructure for remote working as well as maintaining existing systems remotely,” Quinlan says. “This move would have impacted normal patching cycles as organizations loosened the reins and got creative with patching over VPN. Unfortunately, some patches are so expansive they can have an impact on VPN bandwidth.”
Another issue may be poor cybersecurity hygiene, Kopriva notes.
"Just exposing [Server Message Block] to the internet goes against good security practice, so it would make some sense that people who don't configure their firewalls properly wouldn't patch their systems either," he says.
The vulnerability CVE-2020-0796 is related to the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client, according to the Microsoft alert from March.
To exploit the vulnerability in a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability in a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it, according to Microsoft.
Following the vulnerability disclosure in March, proof-of-concepts attacks designed to exploit CVE-2020-0796 were released in June. After the release, several successful attacks were executed, according to the U.S. Cybersecurity and Infrastructure Security Agency.
CISA recommends using a firewall to block SMB ports until the patch can be applied.